Steam security issue exposes users’ personal information

It’s the middle of Steam’s big winter sale, which means a huge number of people are browsing, buying, and playing games right now on the platform. Some of them, however, seem to have tripped into a major security hole earlier today. A variety of users on Twitter, NeoGAF, and Reddit first noted that they can see other users’ account information — including addresses and credit card data — instead of their own details.

Valve, which owns and operates Steam, confirmed in an email to The Verge that the issue was an internal error and it has been fixed. “Steam is back up and running without any known issues,” a company spokesperson said. The company is blaming a “configuration change” earlier today that randomly let some Steam users view others’ account pages, but it says the window was no longer than one hour. “We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users,” they added.

It’s unclear why the company is showing no element of contrition here, considering that its users’ personal data was exposed — a fact that it does not deny.

It’s also not totally clear how many users were affected. At least one of us at The Verge was able to replicate it, along with other problems, like being intermittently logged out while browsing the catalog or seeing the storefront in various, apparently random languages. In a message on Steam’s forums, a moderator earlier today said, “Steam is not hacked,” and that “credit card info and phone numbers are, as required by law, censored and not visible to users.”

Update December 25th, 4:30PM ET: Visiting Steam’s website or store now returns an error, although games on the service remain playable. There’s still no official explanation, but one popular theory holds that Steam is incorrectly caching account pages and rendering them for other users.

Update December 25th, 5:50PM ET: Added Steam forum update. Steam’s store appears to be back online, although we don’t know how stable and/or safe it is, and attempting to pull up the account details page still returns an error.